§ 2023-08-03

A SAN, or Subject Alternative Name, is a structured way to list all of the domain names and IP addresses secured by a certificate. Subdomains and IP addresses are among the items that can be listed as SANs.

When additional hostnames on a website need to be secured, each of them must be listed as a SAN on the SSL/TLS certificate, so that the name a client resolves through DNS and connects to is a name the certificate actually covers. This gives the page the HTTPS indicator that meets browser guidelines and gives visitors confidence to transact on your website.

  1. Generate a private key, mongoCA.key

[alexlai@orpi5Arch chatGPT.x.509-02]$ openssl version
OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)

# openssl genpkey -algorithm RSA -out rootCA.key
# openssl genpkey lets you specify the algorithm. If the algorithm is RSA, it is the same as
# openssl genrsa
[alexlai@orpi5Arch chatGPT.x.509-02]$ openssl genrsa -out mongoCA.key -aes256 8192
Enter PEM pass phrase:  <-- TxxxxYxxLxx#1nnn
Verifying - Enter PEM pass phrase:
  2. Create a self-signed root certificate, mongoCA.crt, with the mongoCA.key private key.

2.1 - openssl.cnf

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = TW
ST = Taiwan
L = Taichung
O = YuShei Ltd.,
OU = Computer Department
CN = yushei.net
emailAddress = alexlai@munetaka.me
#
# the following long field names are equivalent to the short names above
# countryName = Country Name (2 letter code)
# stateOrProvinceName = State or Province Name (full name)
# localityName = Locality Name (eg, city)
# organizationName = Organization Name (eg, company)
# organizationalUnitName = Organizational Unit Name (eg, section)
# commonName = Common Name (e.g., your domain or server name)
# emailAddress = Email Address (e.g., yourname@example.com)
#
[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = orgpi5arch.yushei.net
DNS.2 = hc4Jammy.yushei.net
DNS.3 = hc4MnMin.yushei.net
DNS.4 = n2Mnjaro.yushei.net
DNS.5 = h2Jammy.yushei.net
DNS.6 = h2Nnas01.yushei.net

openssl x509 -noout -text -in 'cerfile.cer'    # display a certificate in text format

[ req_distinguished_name ] can also be written in the prompting form (used when prompt = no is not set), where each field name is followed by the text shown at the prompt:

countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (e.g., your domain or server name)
emailAddress = Email Address (e.g., yourname@example.com)

2.2 Create mongoCA-3650.crt, valid for 3650 days (10 years)

$ openssl req -x509 -new -nodes -key mongoCA.key -sha256 -days 3650 -out mongoCA-3650.crt -config ./openssl.cnf
Enter pass phrase for mongoCA.key:
$ ls
mongoCA-3650.crt  mongoCA.key  openssl.cnf
  3. Create mongoCertificate.pem

# the server needs its own private key; the CSR is signed with this key, not with the CA key
# (the key is passphrase-protected, so mongod must be given --tlsCertificateKeyFilePassword)
$ openssl genrsa -out mongoCertificate.key -aes256 2048
# certificate signing request carrying the subjectAltName entries from [v3_req]
$ openssl req -new -key mongoCertificate.key -out mongoServer.csr -config ./openssl.cnf
# sign the request with the root CA for 395 days, copying the v3_req extensions into the certificate
$ openssl x509 -req -in mongoServer.csr -CA mongoCA-3650.crt -CAkey mongoCA.key -CAcreateserial -out mongoServer.crt -days 395 -extensions v3_req -extfile ./openssl.cnf
# mongod expects the certificate followed by its matching private key in one PEM file
$ cat mongoServer.crt mongoCertificate.key > mongoCertificate.pem

Verify that the certificate chains to the trusted root:

$ openssl verify -CAfile path/to/trusted/root/cert.pem path/to/certificate.pem
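The whole procedure above, as an added example that is not part of the original note: it builds a throwaway CA and a SAN-bearing server certificate with the same openssl.cnf section layout, then runs the three checks worth doing before handing the .pem to mongod (key matches certificate, chain to the CA, connecting hostname present in the SAN). Directory, hostnames and file names are constructed; the CA section adds an explicit CA:TRUE that the note's config does not have.

```shell
#!/bin/sh
# Added example, not the original note's commands. Hostnames and paths are constructed.
set -eu

build_lab_pki() {                       # usage: build_lab_pki DIR
  d=$1
  cat > "$d/openssl.cnf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = TW
O = Lab
CN = mongo.example.test
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_req]
subjectAltName = @alt_names
extendedKeyUsage = serverAuth
[alt_names]
DNS.1 = mongo.example.test
DNS.2 = mongo2.example.test
EOF
  # Root CA: explicit CA:TRUE so every OpenSSL version produces a usable trust anchor
  openssl genrsa -out "$d/mongoCA.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$d/mongoCA.key" -sha256 -days 3650 -subj "/C=TW/O=Lab/CN=Lab Root CA" \
    -extensions v3_ca -config "$d/openssl.cnf" -out "$d/mongoCA.crt" 2>/dev/null
  # Server: its OWN key signs the CSR; the CA key is used only to sign the certificate
  openssl genrsa -out "$d/server.key" 2048 2>/dev/null
  openssl req -new -key "$d/server.key" -config "$d/openssl.cnf" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/mongoCA.crt" -CAkey "$d/mongoCA.key" -CAcreateserial \
    -days 395 -extensions v3_req -extfile "$d/openssl.cnf" -out "$d/server.crt" 2>/dev/null
  cat "$d/server.crt" "$d/server.key" > "$d/server.pem"   # layout mongod's tlsCertificateKeyFile expects
}

check_pem() {                           # usage: check_pem DIR HOST ; returns 0 only if all checks pass
  d=$1; host=$2
  # 1. the private key in the .pem must belong to the certificate in the same file
  cert_mod=$(openssl x509 -in "$d/server.pem" -noout -modulus)
  key_mod=$(openssl rsa -in "$d/server.pem" -noout -modulus 2>/dev/null)
  [ "$cert_mod" = "$key_mod" ] || { echo "key does not match certificate"; return 1; }
  # 2+3. certificate chains to the CA and HOST (what clients connect to) is in the SAN
  openssl x509 -in "$d/server.pem" | openssl verify -CAfile "$d/mongoCA.crt" -verify_hostname "$host" \
    >/dev/null 2>&1 || { echo "chain or hostname check failed for $host"; return 1; }
  echo "OK: $host is covered by a certificate that chains to mongoCA.crt"
}
```

A hostname that is not in [alt_names] fails the last check even though the certificate itself is valid, which is the mismatch a client sees as a TLS hostname error.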

$ mongosh --host orgpi5arch.yushei.net --port 27999 --tlsCertificateKeyFile /opt/xfs/mongodb/x.509/orgpi5arch.yushei.net.pem --tlsCAFile /opt/xfs/mongodb/x.509/mongoCA.crt
Current Mongosh Log ID: 64caf3bdab113446b655ca24
Connecting to: mongodb://orgpi5arch.yushei.net:27999/?directConnection=true&tlsCertificateKeyFile=%2Fopt%2Fxfs%2Fmongodb%2Fx.509%2Forgpi5arch.yushei.net.pem&tlsCAFile=%2Fopt%2Fxfs%2Fmongodb%2Fx.509%2FmongoCA.crt&appName=mongosh+1.10.1